PS3 Dump_Rootkey Code and Brief Guide Arrives from Naehrwert

Following up on his Quick PS3 CoreOS Image Tool code release and recent hints, today PlayStation 3 developer Naehrwert has made available PS3 Dump_Rootkey code and a brief guide below so users can dump their own PlayStation 3 root key without Linux.

Naehrwert has also confirmed that Asbestos PKG only works in 3.41. He has posted the AsbestOS and Source Code to change the offset for people to adapt it to other PS3 Firmware versions and tul compiled the ELF to an AsbestOS 3.55 PKG file.

Additionally, jrtux compiled the AsbestOS stage2 for 3.55 with the Toolchain as naehrwert commented on Twitter, stating: "this is the modified stage2 I'm using (I guess you can change the entry and compile this yourself)"

Danixleet has also compiled the PS3 Dump_Rootkey and notes that the package includes a .bat file to run dump_key; just replace the IP in it with your own. A second build assumes the user already has everything ready (3.41 lv2 peek/poke), in which case you simply drop "metldr" from your console into "data".

If not, check your connection between PS3/router, make sure nothing is blocked, or add the trusted IPs to dump_rootkey in the firewall; ping must be allowed. Each setup is different, so if it fails check your firewall/router settings. It worked out of the box for me connected to the wired router.

From the included ReadMe file, to quote:

dump_rootkey - 2012 by naehrwert

How-to:

[1] Install asbestos_ldr.g.pkg on your PS3 (a firmware with lv2 peek/poke is required to run it).
[2] Compile the client (make sure PS3HOST in main.cpp points to your PS3).
[3] Make sure you got your metldr in './data' as 'metldr'.
[4] A prebuilt 'dumper' is included in './data' (dumper.elf and build.bat is included too if you want to change parameters).
[5] Start asbestos_ldr on your PS3.
[6] Start the client on your PC.
[7] Unicorns!

From cory1492: OK, I had to repackage it a couple different ways but once I got it to install it worked great. The PS3 is a slim running 3.41 hermes CFW; when the app starts the PS3 black screened. I then ran the client (after editing in my PS3's IP and copying a metldr extracted from my NOR dump over to the folder as instructed), compiled under cygwin using the supplied .sh script which is really just a gcc command (I added the ULL to those two vars to fix any problems that 'int is not a long' causes under windows) and got:

I reflashed from 4.11 dex back to hermes to test this easy way to get the RPC server going that doesn't involve installing asbestos and not only does the RPC server work a treat, I can also confirm this release dumped the same EID root key that I had obtained previously via a metldr dump.

I'm a happy camper now, with a RPC server I can just run like an app. Sure beats going back to those old graf dongle payloads thanks naehrwert or marcan, whoever made that pkg!

Tut: follow the info deank posted to use multiMAN to take a dump of your console flash, and use one of the existing tools to extract the crypted metldr - that is all you need to do to get metldr for this.

Transfer to your PC and unpack it with norunpack.exe or cex2dex to a folder and grab "metldr" from the "asecure_loader" folder

Put "metldr" into the "metldrpwn" folder on your USB

From aldostools: To get the "metldr", just dump your flash with the latest build of multiMAN: mmOS->Select any file->Open in HEX viewer->[SELECT]->[START]->DUMP LV2(NO)->DUMP LV1(NO)->DUMP FLASH(YES)

Transfer the dumped file of the NOR or NAND flash (copied to the USB) to your PC, and use norunpack.exe:

    norunpack.exe flash.BIN extract_folder

In the extract_folder you will find the "metldr" (59KB) inside the folder "asecure_loader".

An alternative method to extract "metldr" is using the CEX2DEX application by Gunner54. You first have to downgrade to 3.55 (DEX or CEX), to apply any flash patch using multiMAN.

This one is not working for me. I have 3.55 CFW and built dump_rootkey.exe and started it while running the 3.41 version of the included tool on the PS3 - the 3.55 version will just exit when starting.

I get the info "Connecting to 192.168.254.2 ..." when connecting to 192.168.0.2... I tried forcing 192.168.0.2 but it won't work.
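The two setup mistakes that come up repeatedly on this page are a PS3HOST that was never changed in main.cpp before compiling (steps [2] and [3] of the ReadMe, and the connection report just above) and a wrong or truncated "metldr" in ./data. The preflight check below is an added example, not part of naehrwert's release; it assumes PS3HOST is a plain string #define in main.cpp and treats 192.168.254.2, the address the last comment saw, as the shipped default.

```python
import re
import ipaddress

# Size the article gives for a correctly extracted metldr (59 KB).
# The +/- 2 KB tolerance is an assumption made for this check.
EXPECTED_METLDR_SIZE = 59 * 1024
SIZE_TOLERANCE = 2 * 1024

# The address the last comment above saw the client connect to; treating
# it as the value shipped in main.cpp is an assumption.
SHIPPED_DEFAULT_HOST = "192.168.254.2"

# PS3HOST is assumed to be a plain string #define in main.cpp, e.g.
#   #define PS3HOST "192.168.0.2"
PS3HOST_RE = re.compile(r'^\s*#\s*define\s+PS3HOST\s+"([^"]*)"', re.MULTILINE)


def find_ps3host(main_cpp_text):
    """Return the PS3HOST string from main.cpp source text, or None if absent."""
    match = PS3HOST_RE.search(main_cpp_text)
    return match.group(1) if match else None


def ps3host_problems(host):
    """List reasons this PS3HOST value would make the client fail to connect."""
    if host is None:
        return ["PS3HOST is not defined in main.cpp"]
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return [f"PS3HOST {host!r} is not a valid IPv4 address"]
    if host == SHIPPED_DEFAULT_HOST:
        return ["PS3HOST is still the shipped default; edit it and rebuild the client"]
    return []


def metldr_size_problems(size):
    """List reasons a ./data/metldr of this byte size looks wrong."""
    if abs(size - EXPECTED_METLDR_SIZE) > SIZE_TOLERANCE:
        return [f"metldr is {size} bytes, expected about {EXPECTED_METLDR_SIZE}"]
    return []


def preflight(main_cpp_text, metldr_size):
    """Combine both checks; an empty list means steps [2] and [3] look right."""
    return ps3host_problems(find_ps3host(main_cpp_text)) + metldr_size_problems(metldr_size)


if __name__ == "__main__":
    # Constructed sample: main.cpp still carries the default host, metldr is far too small.
    sample_main = '#include <cstdio>\n#define PS3HOST "192.168.254.2"\n'
    for problem in preflight(sample_main, 1024):
        print("preflight:", problem)
```

Run it against your real main.cpp text and the byte size of ./data/metldr before building the client; an empty result means the two setup steps are in order.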